I use twitter4j in a twitter client with OAuth.
The same AccessToken is used to make calls to the api concurrently:
to make calls to get/followers/ids and to get/friends/ids.
As I get quite a few 401 errors during these calls, I wondered if this concurrent use of the same AccessToken was a possible source of the problem?
Notes for clarification:
- the 401 code corresponds to an auth error in theory, but my auth is ok.
- the doc says the twitter4j Twitter object is fit for concurrency, but my question is, even when the same AccessToken is passed to it?
When we are accessing the Asana API we are using the Asana node client v0.15.0 together with a Tampermonkey script. The API is responding with a 401 (Unauthorized).
This worked a couple of days ago. I have tried with new Personal Access Tokens but still get the same error.
While fiddling the request I tried to change the auth-header Bearer to be lower cased.
Authorization: Bearer my-personal-access-token ->
Authorization: bearer my-personal-access-token.
This seems to work fine, which indicates that something changed on Asana's side.
The node-asana js client lib does not let me modify the request before sending it to Asana API.
According to Asana API support it is on stackoverflow that I should ask about help on this matter.
EDIT
By some further investigation it seems that when we send in the cookie
auth_token=My auth token we do get the 401 error. But if we remove the cookie and reissue the request in Fiddler, it works fine.
Another note is that now we do not get any custom_fields in the response from e.g. https://app.asana.com/api/1.0/tasks/TaskId
I'm a Developer Advocate at Asana. You've caught something that is a known issue and we're working on a fix :) We're rolling out a new version of our API. It's intended to be backwards-compatible with the older implementation, but giving us multiple forms of authentication is one of those cases where we do something different between the two.
For security purposes, we initially implemented this in the new version to not allow requests with multiple forms of authentication, but it turns out that in-browser integrations were affected in precisely the way you're seeing: being logged into Asana, which causes your browser to send your authorization credentials for requests to asana.com automatically, and also authorizing "the right way" for our API with OAuth or a Personal Access Token will end up breaking. We're working on a fix that will allow this to work for the case when both the logged in (cookie) user and the API (access token) user are the same.
If this is an urgent issue and you want to force the old behavior to happen while we roll out the fix in our newer API implementation, you can set a header as described in that link --^ to force your requests on to the old API. Once we get the new API fully deployed and stable, though, we'll deprecate that header, so please be cautious in relying on it for a long-term solution.
Sorry that this has caused issues for you, and thanks for creating this question to let us know!
I have successfully implemented the Twitter Authentication in my .NET Core project. In the ExternalLoginCallback (Account Controller), I am receiving the access_token and access_token_secret after successful authentication with Twitter.
How am I meant to use those to call the Twitter REST API in order to receive further information about the user?
It looks like the API needs different keys for the authorisation. See here:
Authorization:
OAuth oauth_consumer_key="xxxxxxxxxxx",
oauth_signature_method="HMAC-SHA1",oauth_timestamp="xxxxxxxxxxx",
oauth_nonce="xxxxxxxxxxx",
oauth_version="1.0",oauth_token="xxxxxxxxxxx-xxxxxxxxxxx",
oauth_signature="xxxxxxxxxxx"
I have replaced all values with xxxx..
Hope you can provide me with the missing puzzle piece!
Thanks, Nik
It looks like you're building the authorization string properly.
The last step is to send the request to the Twitter endpoint, setting the value of the header to your authorization string.
https://dev.twitter.com/oauth/overview/authorizing-requests
I want to get user profile for which I am using OAuth. http://developer.yahoo.com/oauth/guide/oauth-auth-flow.html
I have retrieved the access token and now finally I need to call the Yahoo API by making a GET request according to http://developer.yahoo.com/oauth/guide/oauth-make-request.html#
The GET request I am sending is:-
http://social.yahooapis.com/v1/user/KMDUY7SWWTJOX4AS3XR47PNLQU/profile?format=json
&realm="yahooapis.com"
&oauth_consumer_key=my key
&oauth_nonce=24829.2331
&oauth_signature_method=plaintext
&oauth_timestamp=1219450170
&oauth_token=whole token here
&oauth_version=1.0
&auth_signature="consumer secret + token secret"
When I am sending this request it is giving me this error:-
{"error":{"lang":"en-US","description":"Please provide valid credentials. OAuth oauth_problem=\"token_rejected\", realm=\"yahooapis.com\""}}
Thank you for your time and consideration.
I was having this issue for a while and then eventually I figured out that Yahoo! puts A= at the beginning of all of their access tokens in their response, but that is not actually part of the access token, so you should be sure to remove that part before responding back to Yahoo!
I hope this helps someone else that stumbles upon this page in the future.
Probably in your case the issue is related to the protocol. You should use https when calling the Yahoo! API.
As they say in the Yahoo documentation here:
For requests to Yahoo API and Web services that require OAuth
authorization, you must use the HMAC-SHA1 encryption method because
requests are made insecurely using HTTP.
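An added example (not code from any of the posts above) showing how the OAuth 1.0 `Authorization` header in the Twitter question is produced with HMAC-SHA1, and why the PLAINTEXT method from the Yahoo question differs: PLAINTEXT sends the signing key itself, while HMAC-SHA1 binds the signature to one request. The URL, keys and secrets are constructed placeholders, and only query-string and `oauth_*` parameters are signed here (a form-encoded POST body would also have to be included).

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    """Percent-encode as OAuth 1.0 requires: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def base_string(method, url, oauth_params):
    """Signature base string: METHOD & encoded base URL & encoded, sorted parameters."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    # realm and oauth_signature are never part of the signed data.
    pairs = sorted((pct(k), pct(v)) for k, v in params if k not in ("realm", "oauth_signature"))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def signing_key(consumer_secret, token_secret):
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def sign_hmac_sha1(method, url, oauth_params, consumer_secret, token_secret):
    """The signature covers this method, URL, nonce and timestamp; secrets never leave the client."""
    key = signing_key(consumer_secret, token_secret).encode()
    msg = base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def sign_plaintext(consumer_secret, token_secret):
    """PLAINTEXT 'signature' is the key itself, identical for every request."""
    return signing_key(consumer_secret, token_secret)

def authorization_header(method, url, oauth_params, consumer_secret, token_secret):
    signed = dict(oauth_params)
    signed["oauth_signature"] = sign_hmac_sha1(method, url, oauth_params, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(signed.items()))

# Constructed sample values (not real credentials); nonce and timestamp must be fresh per request.
SAMPLE_URL = "https://api.example.com/v1/user/profile?format=json"
SAMPLE_SECRETS = ("cs-constructed", "ts-constructed")
SAMPLE_PARAMS = {
    "oauth_consumer_key": "ck-constructed",
    "oauth_nonce": "n0nce123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1500000000",
    "oauth_token": "1234-tok-constructed",
    "oauth_version": "1.0",
}
```

The value returned by `authorization_header("GET", SAMPLE_URL, SAMPLE_PARAMS, *SAMPLE_SECRETS)` is what goes into the request's `Authorization` header; the query string on the URL stays as it is.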
I have been trying with the simple REST Client as well as the REST Plugin for Mozilla. I am getting
"HTTP/1.1 401 Unauthorized" response with
"{"error":"unauthorized_client","error_description":"the client is not authorized"}" in the body.
I have been successful in getting the auth code, and the below is the POST request for access token, (Scope is r_fullprofile)
https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=AQTQeBxBzbU2aNWaQM6Ff3Z3bUd8Gyg10W9G2DdqXgWiP0q7-M55c5PLtppP7Ni3Y-6A9C8yDkj9K4VfJ7QkRUFjuV-3AknA5jAahpsFJv3wYfr8XD8&redirect_uri=https://www.google.com&client_id=75wl6j5zndvfkp&client_secret=secret
The redirect_uri=https://www.google.com is the one used for getting auth code as well.
Do we need to perform any URL encoding before making the POST request?
When I log into LinkedIn, my app has the tokens below:
OAuth User Token: c3ae4cee-1b23-xxx-9d2a-206f578dee4d
OAuth User Secret: 76bc48cc-c94f-xxx-bf9d-a663f7003383
I am not sure where it is used. We are using the API & secret key to get the auth code.
Thanks in Advance.
This is a 2-step process.
First, go to:
https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=YOUR-API-ID&scope=r_basicprofile&state=STATE&redirect_uri=YOUR-ENCODED-REDIRECT-URI
Then, within 10 secs of receiving the response, go to:
https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&redirect_uri=YOUR-ENCODED-REDIRECT-URI&client_id=YOUR-API-ID&client_secret=YOUR-API-ID&code=THE-CODE-OBTAINED-IN-FIRST-STEP
The response of the second request will have the actual access token you need to use.
When I followed the two steps I faced an issue where I got an error as
{"errorCode":0,"message":"Access to posting shares denied","requestId":"TYWULO2WPZ","status":403,"timestamp":1497353538016}
So I had to remove the &scope=r_basicprofile since it was preventing reading all the Default Application Permissions
I faced a similar problem and the problem was with the initial authorization code. You should mention the scope=rw_company_admin or whatever it is that you want to authorize to while doing the initial redirect URL call. Something like this -
https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=your_client_id&redirect_uri=https%3A%2F%2Fwww.google.com/&state=12345&scope=rw_company_admin%20r_emailaddress%20w_share%20r_basicprofile
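The two-step flow from the answers above, as an added example that is not part of the original posts: it builds the encoded authorization URL, checks `state` on the callback, and builds the token request as a form-encoded POST body (as RFC 6749 section 4.1.3 specifies) so the code and `client_secret` do not appear in a URL. The endpoints are the ones quoted in the answer; the client id, secret, redirect URI and function names are constructed for illustration, and no network call is made.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://www.linkedin.com/uas/oauth2/authorization"  # from the answer above
TOKEN_URL = "https://www.linkedin.com/uas/oauth2/accessToken"        # from the answer above

def new_state():
    """Unguessable per-login value, stored in the user's session before redirecting."""
    return secrets.token_urlsafe(16)

def authorization_url(client_id, redirect_uri, scope, state):
    """Step 1: urlencode() encodes redirect_uri and the space-separated scope list."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state, "scope": scope})
    return f"{AUTHORIZE_URL}?{query}"

def code_from_callback(callback_url, expected_state):
    """Return the authorization code only if state matches the value issued in step 1."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    return params["code"][0]

def token_request(code, redirect_uri, client_id, client_secret):
    """Step 2: everything goes in the POST body, keeping secrets out of URLs and access logs."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri,  # must equal the step-1 value
                      "client_id": client_id, "client_secret": client_secret})
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, body
```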
There are no clear docs or anything. shadowhand's demo repo is broken. How to actually use Twitter Oauth provider in Kohana 3.0?
It's a bit complicated, but the steps basically are:
1. Build an OAuth_Consumer
2. Build an OAuth_Provider (twitter)
3. Get a request token
4. Redirect them to the authorize_url
5. Get the callback
6. Exchange the request token for an access token
7. Make API calls
Here's an example controller that does all of that: https://gist.github.com/1267793